Squashed commit of the following:

commit 02c7d25
Author: Kugamoorthy Gajananan <[email protected]>
Date:   Thu Jan 21 15:39:59 2021 +0900

    Added make target and script to update version in nessary files after building bundle based on new version (IBM#261)

commit 6546dc1
Author: hirokuni-kitahara <[email protected]>
Date:   Thu Jan 21 15:37:29 2021 +0900

    fix integrity shield roles/cert config and add event type annotation to IntegrityShieldEvent (IBM#262)

    * update role & cert duration and fix e2e test issue

    * add event type annotation and fix e2e test

commit 121e937
Author: hirokuni-kitahara <[email protected]>
Date:   Wed Jan 20 22:29:17 2021 +0900

    fix patch functions and add troubleshooting doc (IBM#259)

    * fix patch functions and add troubleshooting doc

    * fix scripts and some parts in doc

commit 0ef8683
Author: Yuji Watanabe <[email protected]>
Date:   Wed Jan 20 22:18:16 2021 +0900

    change from K8s to k8s (IBM#260)

    * change from K8s to k8s

    * fix tested cluster version

Author: yuji-watanabe-jp

Makefile

@@ -298,6 +298,7 @@ delete-test-env:
 	@echo
 	@echo deleting test namespace
 	kubectl delete ns $(TEST_NS)
+	kubectl delete ns $(TEST_NS_NEW)
 	kubectl delete ns $(TEST_UNPROTECTED_NS)
 
 setup-test-resources:
@@ -392,6 +393,7 @@ setup-tmp-cr:
 	yq write -i $(TMP_CR_FILE) spec.keyConfig[1].secretName $(TEST_SECRET2)
 	@echo setup signer config
 	yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].namespaces[0] $(TEST_NS)
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].namespaces[1] $(TEST_NS_NEW)
 	yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].signers[0] $(TEST_SIGNERS)
 	yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].name $(TEST_SIGNERS)
 	yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].keyConfig $(TEST_KEYCONFIG)
@@ -524,3 +526,9 @@ create-private-registry:
 
 delete-private-registry:
 	$(ISHIELD_REPO_ROOT)/build/delete-private-registry.sh
+
+.PHONY: update-version
+
+# use this command to update VERSION  after doing 'make build-bundle'
+update-version:
+	$(ISHIELD_REPO_ROOT)/build/update-version.sh

build/update-version.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright 2020 IBM Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/docs/ACM/README_DISABLE_ISHIELD_PROTECTION_ACM_ENV.md
+sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/scripts/install_shield.sh
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}Makefile
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/deploymentForIShield.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/integrityShieldCRForTest.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/integrityShieldCR.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/default-ishield-cr.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_DIR}version/version.go
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_DIR}pkg/util/mapnode/node_test.go

integrity-shield-operator/cert/cert.go

@@ -45,7 +45,7 @@ func GenerateCert(svcName, NS string) ([]byte, []byte, []byte, error) {
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 		NotBefore:             time.Now(),
-		NotAfter:              time.Now().AddDate(10, 0, 0),
+		NotAfter:              time.Now().AddDate(2, 0, 0),
 	}
 
 	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
@@ -92,7 +92,7 @@ func GenerateCert(svcName, NS string) ([]byte, []byte, []byte, error) {
 			CommonName: cn,
 		},
 		NotBefore:   time.Now(),
-		NotAfter:    time.Now().AddDate(10, 0, 0),
+		NotAfter:    time.Now().AddDate(2, 0, 0),
 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:    x509.KeyUsageDigitalSignature,
 		DNSNames:    []string{cn},

integrity-shield-operator/config/rbac/role.yaml

@@ -39,10 +39,7 @@ rules:
 - apiGroups:
   - apps
   resources:
-  - daemonsets
   - deployments
-  - replicasets
-  - statefulsets
   verbs:
   - create
   - delete
@@ -51,33 +48,14 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - replicasets
-  verbs:
-  - get
-- apiGroups:
-  - apps
-  resourceNames:
-  - integrity-shield-operator
-  resources:
-  - deployments/finalizers
-  verbs:
-  - update
 - apiGroups:
   - ""
   resources:
   - configmaps
-  - endpoints
   - events
-  - persistentvolumeclaims
-  - pods
   - secrets
   - serviceaccounts
   - services
-  - services/finalizers
   verbs:
   - create
   - delete
@@ -86,29 +64,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - servicemonitors
-  verbs:
-  - create
-  - get
 - apiGroups:
   - policy
   resources:

integrity-shield-operator/controllers/integrityshield.go

@@ -27,6 +27,7 @@ import (
 	apiv1alpha1 "github.com/IBM/integrity-enforcer/integrity-shield-operator/api/v1alpha1"
 	res "github.com/IBM/integrity-enforcer/integrity-shield-operator/resources"
 	rsp "github.com/IBM/integrity-enforcer/shield/pkg/apis/resourcesigningprofile/v1alpha1"
+	common "github.com/IBM/integrity-enforcer/shield/pkg/common"
 	admv1 "k8s.io/api/admissionregistration/v1beta1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -1022,6 +1023,9 @@ func (r *IntegrityShieldReconciler) createOrUpdateWebhookEvent(instance *apiv1al
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      evtName,
 			Namespace: evtNamespace,
+			Annotations: map[string]string{
+				common.EventTypeAnnotationKey: common.EventTypeValueReconcileReport,
+			},
 		},
 		InvolvedObject:      involvedObject,
 		Type:                evtSourceName,

integrity-shield-operator/controllers/integrityshield_controller.go

@@ -41,13 +41,8 @@ type IntegrityShieldReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create
-// +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,resourceNames=integrity-shield-operator,verbs=update
-// +kubebuilder:rbac:groups=core,resources=pods,verbs=get
-// +kubebuilder:rbac:groups=apps,resources=deployments;replicasets,verbs=get
+// +kubebuilder:rbac:groups=core,resources=services;serviceaccounts;events;configmaps;secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apis.integrityshield.io,resources=integrityshields;integrityshields/finalizers;shieldconfigs;signerconfigs;resourcesigningprofiles;resourcesignatures;helmreleasemetadatas,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=*
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=*

integrity-shield-operator/test/e2e/e2e_test.go

@@ -418,25 +418,25 @@ var _ = Describe("Test integrity shield", func() {
 				framework := initFrameWork()
 				var timeout int = 120
 				expected := "test-configmap"
-				By("Creating new namespace: " + test_namespace)
-				cmd_err := Kubectl("create", "ns", test_namespace)
+				By("Creating new namespace: " + test_namespace_new)
+				cmd_err := Kubectl("create", "ns", test_namespace_new)
 				Expect(cmd_err).To(BeNil())
-				By("Creating test configmap in ns: " + test_namespace)
-				cmd_err = Kubectl("apply", "-f", test_configmap, "-n", test_namespace)
+				By("Creating test configmap in ns: " + test_namespace_new)
+				cmd_err = Kubectl("apply", "-f", test_configmap, "-n", test_namespace_new)
 				Expect(cmd_err).NotTo(BeNil())
 				Eventually(func() error {
-					return CheckBlockEvent(framework, "no-signature", test_namespace, expected)
+					return CheckBlockEvent(framework, "no-signature", test_namespace_new, expected)
 				}, timeout, 1).Should(BeNil())
 			})
 			It("Signed resource should be allowed in new namespace", func() {
 				framework := initFrameWork()
 				var timeout int = 120
 				expected := "test-configmap-annotation"
-				By("Creating test configmap in ns: " + test_namespace)
-				cmd_err := Kubectl("apply", "-f", test_configmap_annotation, "-n", test_namespace)
+				By("Creating test configmap in ns: " + test_namespace_new)
+				cmd_err := Kubectl("apply", "-f", test_configmap_annotation, "-n", test_namespace_new)
 				Expect(cmd_err).To(BeNil())
 				Eventually(func() error {
-					return CheckConfigMap(framework, test_namespace, expected)
+					return CheckConfigMap(framework, test_namespace_new, expected)
 				}, timeout, 1).Should(BeNil())
 			})
 			It("Resources in unmonitored ns can be created without signature", func() {

integrity-shield-operator/test/e2e/framework.go

@@ -48,6 +48,7 @@ var (
 	kubeconfig_user                   = os.Getenv("KUBE_CONTEXT_USERNAME")
 	ishield_namespace                 = os.Getenv("ISHIELD_OP_NS")
 	test_namespace                    = os.Getenv("TEST_NS")
+	test_namespace_new                = os.Getenv("TEST_NS_NEW")
 	test_unprotected_namespace        = os.Getenv("TEST_UNPROTECTED_NS")
 	shield_dir                        = os.Getenv("SHIELD_OP_DIR")
 	deploy_dir                        = shield_dir + "test/deploy/"

ishield-build.conf

@@ -30,6 +30,7 @@ WATCH_NAMESPACE=integrity-shield-operator-system
 SHIELD_DIR=${ISHIELD_REPO_ROOT}/shield/
 SHIELD_OP_DIR=${ISHIELD_REPO_ROOT}/integrity-shield-operator/
 TEST_NS=test-ns
+TEST_NS_NEW=test-ns-new
 TEST_UNPROTECTED_NS=unprotected-test-ns
 ENVTEST_ASSETS_DIR=${ISHIELD_REPO_ROOT}/integrity-shield-operator/testbin
 TEST_ASSET_ETCD=${ISHIELD_REPO_ROOT}/integrity-shield-operator/testbin/bin/etcd

shield/pkg/common/common.go

@@ -67,6 +67,16 @@ const (
 	LabelValueUnverified = "unverified"
 )
 
+const (
+	EventTypeAnnotationKey   = "integrityshield.io/eventType"
+	EventResultAnnotationKey = "integrityshield.io/eventResult"
+
+	EventTypeValueReconcileReport = "reconcile-report"
+	EventTypeValueVerifyResult    = "verify-result"
+	EventResultValueAllow         = "allow"
+	EventResultValueDeny          = "deny"
+)
+
 type SignatureType string
 
 const (